How to Quickly Strengthen and Simplify Amazon Cognito with Strong Multi-factor Authentication, Passwordless and Passkeys

The moment Transmit Security partnered with Amazon Web Services (AWS), we became the first AWS Advanced Technology Partner to provide true passwordless multi-factor authentication (MFA) for Amazon Cognito. Since then, we’ve been helping companies fortify authentication with passwordless, passkeys and other MFA methods within Amazon Cognito. Transitioning customers away from passwords is the first line of defense against the growing volume of account takeover (ATO) fraud.

News headlines continue to remind us that authenticating customers with passwords is a losing gamble, even if your customers use a password manager to create impossible-to-remember, nonsensical letter-character-number combinations.

Earlier this month, media outlets revealed the 2022 hack of password manager LastPass was far more damaging than first reported. The Boston Globe states, “the intruders were also able to steal the customers’ ‘vault data’ — the encrypted files containing passwords and other sensitive data stored by LastPass’ 33 million subscribers.”

Granted, LastPass encrypts passwords, but with the luxury of time and password-cracking automation, the hackers will eventually pull off large-scale account takeover (ATO) fraud, gaining full access to millions of accounts, account information, credit cards, bank accounts and even medical records.

ATO fraud nearly doubled, climbing 92% YoY, according to a 2022 study by Javelin Strategy & Research. Perhaps more eye-opening is the fact that ATOs are #2 among all cybersecurity risks, second only to malware! That’s a wake-up call. The same study projects that ATOs will soon surpass malware as the #1 security concern.

It’s why companies using Amazon Cognito are looking to fortify or replace multi-factor authentication (MFA) with stronger passwordless methods. To meet the demand, AWS and Transmit Security have partnered, making it faster and easier for companies using Cognito to implement true passwordless authentication.

Secure & simplify the customer journey

By integrating Transmit Security within your AWS apps, you’ll make it faster and easier for customers to open new accounts and log in with fingerprint or facial ID, passkeys or other strong authentication methods.

Transmit Security’s passwordless MFA service extends FIDO2 biometric authentication across all devices and channels — so your customers can access all that you offer on any device. Customers who choose to use biometrics will never need to use a password, which means you can gradually phase out passwords, and over time you’ll eliminate them completely.

Why Replace Passwords and Basic MFA?

MFA is essential to fend off the growing volume of account takeover fraud. But for many organizations, SMS one-time passcodes (OTPs), magic links and authenticator apps add more friction than their customers will tolerate.

More importantly, these multi-step MFA methods are still vulnerable to smishing, man-in-the-middle and other attacks, resulting in a clunky customer experience (CX) that is susceptible to compromise.

Compliance: Is Your MFA Strong Enough?

To comply with security regulations like PSD2’s Strong Customer Authentication (SCA), most financial services use SMS OTPs or an authenticator app. But the added friction of having to download and use an app reduces the customer adoption rate, and OTPs can lead frustrated customers to call support or drop off entirely.

The combination of an OTP and a password technically meets the requirement for two factors, but this won’t prevent ATO fraud if the device is infected with spyware or the session is hijacked. To take over accounts at scale, hackers are now using OTP interception bots that make it easier than ever to snag passcodes in transit. Plus, some bad bots bypass OTP authentication altogether.

How Passwordless MFA Works Differently

When you authenticate customers based on FIDO2, the most current set of passwordless standards by the FIDO Alliance, you know who is accessing the account. And, if done correctly, you completely eliminate shared secrets — not just passwords but OTPs and all data that could expose you to attacks.

With true passwordless authentication, customers simply use a fingerprint or facial biometric to achieve the strongest form of MFA in one simple user action. Logging in is faster, easier and vastly more secure.

How is it multi-factor? Only the real customer’s biometric (inherence factor) unlocks a private key (possession factor) stored on the user’s device.

What’s to prevent the biometric and private key from being compromised? By leveraging public key cryptography, the biometric and the private key remain secure, never leaving the user’s device. The private key signs the authentication challenge, and only the signed challenge, devoid of any sensitive data, is sent over the web. On the receiving end, the matching public key is used to verify the signature over the challenge. It all happens in a few seconds, and you’ll know who the individual is with a high level of confidence.


Key differentiators to look for in a passwordless solution:

  • MFA by design – methods should include FIDO-based passwordless
  • With or without an app – gain flexibility to optimize CX and security as needed
  • Omnichannel experiences – let users move across channels with a single identity
  • Multi-device support – enable users to log in from any of their devices
  • Ease of deployment – plug-and-play services optimize all scenarios and flows
  • Continually updated for compliance – stay in compliance with a service that’s continually updated to meet the latest requirements

Integrate Transmit Security passwordless MFA with Amazon Cognito

With Transmit Security one-step passwordless MFA, you can now fortify Amazon Cognito by authenticating customers based on their true identities. Your customers only need to register one account with your business and then log in with a fingerprint or facial biometric on any channel, using any of their devices. Our unique device-binding method makes it easy and secure for customers to transfer trust to any of their devices, binding them all to one unified identity.

Our cloud-native service works alongside all methods of authentication provided by Amazon Cognito and supports other implementations like FIDO passkeys, an extended version of FIDO credentials. This allows you to give customers login options that satisfy their preferences, while enhancing your security posture. Over time, you’ll be able to transition all customers to passwordless.

Visit the AWS Partner Network blog for a simple step-by-step guide on how to configure Transmit Security passwordless MFA with Cognito. You can customize or brand the UI and roll out hundreds of user flows out of the box. It’s easy to set up secure and smooth password-free experiences across all channels and devices.

Speed time to market

Transmit Security gives your developers pre-built user flows via easy-to-use APIs and SDKs, expediting the time to build and customize passwordless MFA. Our modular customer identity and access management (CIAM) services include:

Passwordless & MFA Service

  • Biometric, passkey and social logins, magic links and one-time passcodes

Risk, Trust, Fraud, Bots & Behavior Detection Service

  • Real-time protection against account takeovers — from session hijacking and device spoofing to credential stuffing and man-in-the-middle attacks

Identity Verification Service

  • Identity verification with AI-powered biometric matching, selfie liveness detection, document verification and rapid background checks

Secure the Full Identity Lifecycle

By removing customer passwords, your greatest security risk is gone. But today’s more sophisticated account takeover (ATO) fraud can compromise customer accounts before, during and after the login. By implementing passwordless MFA along with the Transmit Security Risk, Trust, Fraud, Bot & Behavior Detection Service, you’ll close the security gaps across the full identity lifecycle.

Real-time risk and trust assessments correlate hundreds of signals to detect signs of ATO fraud anywhere in the customer journey — from registration to account recovery and every step in between. Any time risk is detected, you can challenge the user with true passwordless MFA or any other form of authentication. Together with Amazon Cognito, you’ll gain a formidable defense against ATO fraud.

Explore what you can do with Amazon Cognito and Transmit Security. Or better yet, get started with our technical blog on how to integrate passwordless MFA in 7 simple steps.

Author

  • Danny Kadyshevitch, Senior Product Manager

    Danny Kadyshevitch is a Senior Product Manager at Transmit Security. He previously built and led product management for the company's Passwordless and MFA Services and now runs product management for Account Protection Services. Prior to Transmit Security, Danny gained extensive experience in cyber security, serving in the IDF's 8200 intelligence unit and spending 7 years in Microsoft's Cloud Security division.